To support the Windows as a Service strategy with cloud services we rely on the well known Windows Update service, but with the controls for business usage. This is called Windows Update for Business (WUfB). That means our content is provided by Microsoft Update servers and we define the installation behavior like deferrals or even pause of feature or quality updates. The WUfB settings can be configured in Intune via Software Udpates. This article will not show the details of the WUfB settings. To monitor the Delivery Optimization Performance we have the Delivery Optimization Status in the Windows Analytics solution – Update Compliance.

You can use Delivery Optimization to reduce bandwidth consumption by sharing the work of downloading these packages among multiple devices in your deployment. Delivery Optimization can accomplish this because it is a self-organizing distributed cache that allows clients to download those packages from alternate sources (such as other peers on the network) in addition to the traditional Internet-based Windows Update servers.

How does Delivery Optimization work in detail?

First of all the published content must be chunked and hashed. Currently Microsoft supports the following content:

The clients will check-in to the Delivery Optimization cloud service as long as the content is valid in its cache. This is necessary to let DO service keep track of devices and let it distribute peer info to requesting clients.

The Delivery Optimization has multiple Download Modes and this is an important part for successful utilization of DO. It configures the logical grouping of devices based on certain criteria. In this example we set Download Mode to Group and we use a custom group ID. This custom Group ID can be delivered by DHCP as an Option ID with code 234 when using upcoming Windows 10 Version 1803.

Group download mode is the recommended option for most organizations looking to achieve the best bandwidth optimization with Delivery Optimization.

The custom group id delivered by DHCP for scoped devices will let us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer 2 peer traffic even across NATs.

The DO Peer 2 Peer traffic is a direct TCP/UDP connection on port 7680.

Now we can build effective groups aligned with our networking infrastructure to restrict P2P traffic to physical sites, multiple sites, subnets, what ever we want.

How to configure DO with Intune?

At time of this writing I’m using the Insider Preview for the upcoming Windows 10 Version 1803 to test and include settings which are really worth to mention in this context.

I won’t get into details about every available setting but I will show a complete setup to test DHCP Option ID as source for Group ID.

For production environments please review all available MDM Delivery Optimization settings and adjust as needed for your environment. For example DOMaxCacheAge, DOMinBackgroundQoS, DOPercentageMaxBackgroundBandwidth , and DOMinBatteryPercentageAllowedToUpload might be from interest for production environments. Remember to check for new settings with every new Version of Windows 10!

Test to verify everything works as expected!

Make sure the settings are applied to the test devices. Generate a advanced diagnostic report:

Open Settings > Accounts > Access work or school > Connected to TenantName’s Azure AD > Info > scroll down to the bottom and click “Create report”

Important settings to verify:

Test procedure:

On Client A start a download from the Store with 100MB+ download size and wait for finish. You should observe a throttled download when using VMs with setting DOPercentageMaxForeDownloadBandwidth.

On Client B start the same download from the Store and wait for finish. You should notice a significant faster download on Client B, as it will receive data from local peer without restrictions when tested with VMs and mentioned settings above.

Since Windows 10 Version 1803 we can generate a DO log file to trace the behavior:

19 replies to Configure Delivery Optimization with Intune for Windows Update for Business

Hi Mike,
no you can use DeliveryOptimization even with Windows 10 Version 1511. Every new version brought us new options to configure and in the last insider preview (pre-release of 1803) we have DeliveryOptimization/DOGroupIdSource. That was the particular setting what I demonstrated. So you can use DO also without the latest options. On the documentation https://docs.microsoft.com/en-us/windows/client-management/mdm/policy-csp-deliveryoptimization you find a table which is listing the supported versions like Enterprise or Pro and there are small side notes like 1, 2, 3, or 4 they are for version 1607, 1703, 1709 and 4 is for next major version which is 1803 at the moment.
ok

Excellent. Testing in the lab now using 1709 by creating a Profile and custom Group ID for each location using ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DOGroupId. Can’t wait to be able to use DHCP. Very nice info. Thanks!

the post relates to “HTTP blended with peering across private group” in fact the OMA-URI: ./Vendor/MSFT/Policy/Config/DeliveryOptimization/DODownloadMode=2 is exactly the option “HTTP blended with peering across private group”. So you can build a Servicing ring in Intune under Software Updates and choose “HTTP blended with peering across private group”. It the same as the OMA-URI. Then you only need to configure DOGroupIdSource to use the DHCP Option if you like.

0 – HTTP only, no peering.
1 (default) – HTTP blended with peering behind the same NAT.
2 – HTTP blended with peering across a private group. Peering occurs on devices in the same Active Directory Site (if it exists) or the same domain by default. When this option is selected, peering will cross NATs. To create a custom group use Group ID in combination with Mode 2.
3 – HTTP blended with Internet peering.
99 – Simple download mode with no peering. Delivery Optimization downloads using HTTP only and does not attempt to contact the Delivery Optimization cloud services. Added in Windows 10, version 1607.
100 – Bypass mode. Do not use Delivery Optimization and use BITS instead. Added in Windows 10, version 1607.

Hi Jan,
the only limitation you can set at the moment is a limit by kbps or percentage and this only for all or background or foreground downloads. No differentiation between LAN or internet upload currently.

Excellent article. However, running into one issue where the GUID defined on DHCP Scope Options 234 is not getting written to the Win 10 1803 Ent computer’s registry. Does not look like its querying the DHCP. In GPO, I set Download Mode to 2 and GroupID Source to 3 which successfully pushed down to the client and written to its registry. Any pointers would greatly be appreciated.

the DHCP option ID request for GroupID does not write the received value in the registry. The value is queried for all requests, so roaming clients get the new GUID in a new DHCP scope. You can analyse the DO Logs if the client uses the DO Group ID.
use this: Get-DeliveryOptimizationLog | where Message -Match ‘GroupId’
The output should get you an indicator if a GroupId is used. Sadly the GroupId is encoded so you can’t match it to the GroupId in your DHCP scope.

Thank you very much Oliver! I did look at the logs and what really confused me was that the GroupId in logs did not match what was set on the DHCP Scope Options 234. Thanks for clarifying that encoded GroupId displays on the logs. I’m following you on Twitter now!

Microsoft is using DO currently in the monthly Channel of Office 365 ProPlus. I suspect it to be integrated in the next semi-annual channel but this is not sure as there is no official announcement right now for it. Remember if you use the monthly channel you only have support for this version until the next monthly channel is released. So you are able to test it with monthly channel and you can track it in Windows Analytics under Update Compliance – Delivery Optimization. 👍

Hi Oliver,
I have a question about the GUIDs for the DHCP Scopes. Are the GUIDs generated automatically? Or do they need to be manually populated?
The reason I’m asking is I’m trying to rationalise the comment you made

“The custom group id delivered by DHCP for scoped devices will let us take control over the grouping. We can assign multiple DHCP scopes the same Group ID or different Group IDs. That’s how we build our device collections and control the peer 2 peer traffic even across NATs”

Does the above comment mean that you manually made a GUID and assigned that same GUID to a set of DHCP Scopes that are on the same LAN?
Regards,
Ivan

Hi Ivan,
yes you create it manually and assign it to a DHCP scope. It is up to you to which scope you are assigning a different or the same GUID. That’s the way how you build you groups of devices which should belong in the same DO P2P group.

I know this thread is old but it is a great post with lots of information. I have a question about the GUIDs, I know we have to come up with our own GUID for each scope…Is there a guideline for what the GUID should be or look like. I see the one you are using, do they all have to be in that format, or can I use a simple 5 digit number?

it needs to be exactly in this format. Just use New-Guid and generate new ones as needed. The guid is used as a global unique identifier you should really use a unique generated one with PS comamnd New-Guid.